Elasticserach 7 - Template mangement (#262)

Former-commit-id: 2113b5b3d5

elasticsearch/Dockerfile

@@ -74,6 +74,9 @@ COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint.sh /entrypoint-s
 COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint_load_settings.sh ./
 COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh
 COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_users_management.sh ./
+COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_policies.sh ./
+COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_templates.sh ./
+COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_aliases.sh ./
 RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \
     chmod +x /entrypoint-scripts/15-get_CA_key.sh && \
     chmod +x /entrypoint-scripts/20-security_instances.sh && \
@@ -84,7 +87,10 @@ RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \
     chmod +x /entrypoint-scripts/35-entrypoint.sh && \
     chmod +x ./35-entrypoint_load_settings.sh && \
     chmod 755 ./config/35-load_settings_configure_s3.sh && \
-    chmod +x ./35-load_settings_users_management.sh
+    chmod +x ./35-load_settings_users_management.sh && \
+    chmod +x ./35-load_settings_policies.sh && \
+    chmod +x ./35-load_settings_templates.sh && \
+    chmod +x ./35-load_settings_aliases.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["elasticsearch"]

elasticsearch/config/35-entrypoint_load_settings.sh

@@ -106,17 +106,13 @@ if [ $ENABLE_CONFIGURE_S3 ]; then
 
 fi
 
+
 ##############################################################################
-# Elastic Stack users creation. 
+# Load custom policies.
-# Only security main node can manage users. 
 ##############################################################################
 
-echo "LOAD SETTINGS - Run users_management.sh."
+echo "LOAD SETTINGS - Loading custom Elasticsearch policies."
-MY_HOSTNAME=`hostname`
+bash /usr/share/elasticsearch/35-load_settings_policies.sh
-echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME"
-if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
-  bash /usr/share/elasticsearch/35-load_settings_users_management.sh &
-fi
 
 
 ##############################################################################
@@ -132,9 +128,30 @@ sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH
 # Load default templates
 ##############################################################################
 
-echo "LOAD SETTINGS - Loading wazuh-alerts template."
+echo "LOAD SETTINGS - Loading wazuh-alerts template"
-cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
+bash /usr/share/elasticsearch/35-load_settings_templates.sh
-sleep 5
+
+
+##############################################################################
+# Load custom aliases.
+##############################################################################
+
+echo "LOAD SETTINGS - Loading custom Elasticsearch aliases."
+bash /usr/share/elasticsearch/35-load_settings_aliases.sh
+
+
+##############################################################################
+# Elastic Stack users creation. 
+# Only security main node can manage users. 
+##############################################################################
+
+echo "LOAD SETTINGS - Run users_management.sh."
+MY_HOSTNAME=`hostname`
+echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME"
+if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
+  bash /usr/share/elasticsearch/35-load_settings_users_management.sh &
+fi
+
 
 ##############################################################################
 # Prepare Wazuh API credentials

elasticsearch/config/35-load_settings_aliases.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+
+##############################################################################
+# Set Elasticsearch API url
+##############################################################################
+
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
+
+echo "ALIASES - Elasticsearch url: $el_url"
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the elastic user password.
+##############################################################################
+
+ELASTIC_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the users credentials.
+##############################################################################
+
+# The user must get the credentials of the users.
+# TO DO. 
+
+##############################################################################
+# Set authentication for curl if Elasticsearch security is enabled.
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+  echo "ALIASES - authentication for curl established."
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+  echo "ALIASES - authentication for curl not established."
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+  echo "ALIASES - authentication for curl established."
+fi
+
+
+##############################################################################
+# Wait until Elasticsearch is active. 
+##############################################################################
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "ALIASES - Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "ALIASES - Elastic is up - executing command"
+
+
+##############################################################################
+# Add custom aliases.
+##############################################################################
+
+# The user must add the credentials of the users.
+# TO DO.
+# Example 
+# echo "ALIASES - Add custom_user password and role:"
+# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
+# {  "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'
+

elasticsearch/config/35-load_settings_policies.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+
+##############################################################################
+# Set Elasticsearch API url
+##############################################################################
+
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
+
+echo "POLICIES - Elasticsearch url: $el_url"
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the elastic user password.
+##############################################################################
+
+ELASTIC_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the users credentials.
+##############################################################################
+
+# The user must get the credentials of the users.
+# TO DO. 
+
+##############################################################################
+# Set authentication for curl if Elasticsearch security is enabled.
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+  echo "POLICIES - authentication for curl established."
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+  echo "POLICIES - authentication for curl not established."
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+  echo "POLICIES - authentication for curl established."
+fi
+
+
+##############################################################################
+# Wait until Elasticsearch is active. 
+##############################################################################
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "POLICIES - Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "POLICIES - Elastic is up - executing command"
+
+
+##############################################################################
+# Add custom policies.
+##############################################################################
+
+# The user must add the credentials of the users.
+# TO DO.
+# Example 
+# echo "POLICIES - Add custom_user password and role:"
+# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
+# {  "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'
+

elasticsearch/config/35-load_settings_templates.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+
+##############################################################################
+# Set Elasticsearch API url
+##############################################################################
+
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
+
+echo "TEMPLATES - Elasticsearch url: $el_url"
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the elastic user password.
+##############################################################################
+
+ELASTIC_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+##############################################################################
+# If Elasticsearch security is enabled get the users credentials.
+##############################################################################
+
+# The user must get the credentials of the users.
+# TO DO. 
+
+##############################################################################
+# Set authentication for curl if Elasticsearch security is enabled.
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+  echo "TEMPLATES - authentication for curl established."
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+  echo "TEMPLATES - authentication for curl not established."
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+  echo "TEMPLATES - authentication for curl established."
+fi
+
+
+##############################################################################
+# Wait until Elasticsearch is active. 
+##############################################################################
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "TEMPLATES - Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "TEMPLATES - Elastic is up - executing command"
+
+
+##############################################################################
+# Add wazuh-alerts templates.
+##############################################################################
+
+echo "TEMPLATES - Loading default wazuh-alerts template."
+cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-

kibana/config/20-entrypoint_kibana_settings.sh

@@ -109,7 +109,9 @@ echo "SETTINGS - Prepare index selection."
 
 default_index="/tmp/default_index.json"
 
-cat > ${default_index} << EOF
+if [[ $PATTERN == "" ]]; then
+
+  cat > ${default_index} << EOF
 {
   "changes": {
     "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
@@ -117,6 +119,19 @@ cat > ${default_index} << EOF
 }
 EOF
 
+else
+
+  cat > ${default_index} << EOF
+{
+  "changes": {
+    "defaultIndex": "$PATTERN"
+  }
+}
+EOF
+
+fi
+
+
 sleep 5
 
 

logstash/config/01-wazuh.conf

@@ -34,7 +34,7 @@ filter {
     }
     date {
         match => ["timestamp", "ISO8601"]
-        target => "timestamp"
+        target => "@timestamp"
     }
     mutate {
         remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]